The LuxSci FYI Blog

by Erik Kangas, PhD, CEO

Security: A Year in Review: 2012

Over the last 12 months, LuxSci has added many new features, enhanced services, and improved usability. We have also made a large number of security and privacy improvements.

Some of the most conspicuous of these include changes to User Account Access, HIPAA Security, SecureForm, Backups, Restores, Email Security, Credit Card Security, Auditing, Security of Support Access to Data, Web Hosting, and Firewalls.

User Account Access

Configurable emailed alerts of successful logins to IMAP, POP, SMTP, WebMail, FTP, SFTP, SSH, and SCP services. Be informed quickly of any successful login, so that you can verify it was authorized.

The list of recommended user Security Questions has been revised to include only questions whose answers are not easily found online or by being a close friend or family member.

All users of the LuxSci Web Interface are required to add a security question and answer to their account for identity verification purposes.

Administrators can enable policies requiring users to change their passwords at specified intervals (e.g. every 90 or 180 days) and can ensure that old passwords are not reused.

Administrators can customize how the Web Interface locks accounts in response to password-guessing attempts, e.g. how many failures trigger a lockout, and for how long.
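The three account-access controls above (lockout after a configurable number of failures for a configurable period, password expiry plus a no-reuse history, and an alert on every successful login) fit together into one small policy engine. The following is an added example written for this post, not LuxSci's own code: the class name, parameters and the alert callback are hypothetical, passwords are stored as salted PBKDF2 hashes, and the clock is injectable so the behaviour can be exercised offline.

```python
"""Hypothetical account-access policy engine (added example, not LuxSci code).

Models three controls:
  * lockout after `max_failures` consecutive failed logins for `lockout_seconds`,
  * password expiry after `max_password_age_days` plus a no-reuse history,
  * an `alert` hook fired on every successful login (stands in for the emailed alert).
"""
import hashlib
import hmac
import os
import time


class AccountAccessPolicy:
    def __init__(self, max_failures=5, lockout_seconds=900,
                 max_password_age_days=90, history_size=5,
                 alert=print, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.max_password_age = max_password_age_days * 86400
        self.history_size = history_size
        self.alert = alert      # called with a message on each successful login
        self.clock = clock      # injectable for deterministic testing
        # user -> {"history": [(salt, digest, set_at)], "failures": int, "locked_until": float}
        self._accounts = {}

    @staticmethod
    def _digest(password, salt):
        # Salted PBKDF2-HMAC-SHA256; the salt is per stored password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _account(self, user):
        return self._accounts.setdefault(
            user, {"history": [], "failures": 0, "locked_until": 0.0})

    def set_password(self, user, password):
        """Set a new password; refuse any of the last `history_size` passwords."""
        acct = self._account(user)
        for salt, digest, _ in acct["history"]:
            if hmac.compare_digest(self._digest(password, salt), digest):
                return False                     # reuse of a recent password
        salt = os.urandom(16)
        acct["history"].append((salt, self._digest(password, salt), self.clock()))
        del acct["history"][:-self.history_size]  # keep only the most recent N
        return True

    def login(self, user, password, service="WebMail", source="unknown"):
        """Return 'locked', 'failed', 'expired' or 'ok'."""
        acct = self._account(user)
        now = self.clock()
        if now < acct["locked_until"]:
            return "locked"                      # attempts during lockout are not evaluated
        history = acct["history"]
        ok = False
        set_at = now
        if history:
            salt, digest, set_at = history[-1]   # current password is the newest entry
            ok = hmac.compare_digest(self._digest(password, salt), digest)
        if not ok:
            acct["failures"] += 1
            if acct["failures"] >= self.max_failures:
                acct["failures"] = 0
                acct["locked_until"] = now + self.lockout_seconds
                return "locked"
            return "failed"
        acct["failures"] = 0                     # a good login resets the counter
        self.alert(f"Successful {service} login for {user} from {source}")
        if now - set_at > self.max_password_age:
            return "expired"                     # let the user in only to change the password
        return "ok"


if __name__ == "__main__":
    policy = AccountAccessPolicy(max_failures=3, lockout_seconds=600)
    policy.set_password("alice", "correct horse battery")
    for attempt in ("guess1", "guess2", "guess3", "correct horse battery"):
        print(attempt, "->", policy.login("alice", attempt, source="203.0.113.7"))
```

Unknown users and wrong passwords both count as failures, so the lockout counter does not reveal whether an account exists; the right password presented during a lockout is still refused, which is what keeps a guessing run from "finishing" once the correct value is reached.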

HIPAA

LuxSci now supports “per-domain” HIPAA accounts. These have a “good” level of enforced security for all users and a further locked down “HIPAA-Compliant” level for selected domains. This makes it possible to manage secure and insecure email in the same account.

SecureForm

SecureForm form data collection and processing service now supports automatic delivery of files and data posted from your forms to your own servers via Secure FTP (SFTP).

Backups and Restores

Administrators can now make backups of their MySQL databases “on demand” and can restore databases from backups when needed, through our Web Interface.

Email Security

All new S/MIME certificates use 2048-bit keys (instead of 1024-bit keys).

Users can force the use of SecureLine Escrow over TLS for added security or access auditing as needed.

LuxSci supports DKIM for inbound and outbound email to detect and prevent email forgeries and to help mitigate spam.

Credit Card Security and Privacy

LuxSci’s processing of credit card data remains PCI-compliant. Credit card data is never stored on or transmitted through any of LuxSci’s servers. It is also not accessible to LuxSci staff or present in any of LuxSci’s backups. Customer credit card data is safe from even a complete system compromise.

LuxSci Support Staff

LuxSci Support staff have to change their passwords every 90 days and cannot reuse old passwords.

LuxSci staff must use 2-factor authentication for performing any Support activities on any Customer account or to gain any kind of administrative access to a server.

All 2-factor access is logged, and this logging happens at a separate facility that Support staff do not have access to, where the logs cannot be tampered with.

Web Hosting

Shared web hosting servers now have improved denial of service protection via mod_evasive.

Secure FTP support is improved, and access to the SSH service is much more restricted.